[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2024-35896":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T14:53:31.930Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":19,"related":20,"reserved_at":9,"published_at":21,"modified_at":22,"state":9,"summary":23,"references_raw":25,"kevs":32,"epss":9,"epss_history":33,"metrics":34,"affected":41},"DEBIAN-CVE-2024-35896","In the Linux kernel, the following vulnerability has been resolved:  netfilter: validate user input for expected length  I got multiple syzbot reports showing old bugs exposed by BPF after commit 20f2505fb436 (\"bpf: Try to avoid kzalloc in cgroup/{s,g}etsockopt\")  setsockopt() @optlen argument should be taken into account before copying data.   BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]  BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]  BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]  BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627 Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238  CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace:  \u003CTASK>   __dump_stack lib/dump_stack.c:88 [inline]   dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114   print_address_description mm/kasan/report.c:377 [inline]   print_report+0x169/0x550 mm/kasan/report.c:488   kasan_report+0x143/0x180 mm/kasan/report.c:601   kasan_check_range+0x282/0x290 mm/kasan/generic.c:189   __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105   copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]   copy_from_sockptr include/linux/sockptr.h:55 [inline]   do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]   do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627   nf_setsockopt+0x295/0x2c0 net/netfilter/nf_sockopt.c:101   do_sock_setsockopt+0x3af/0x720 net/socket.c:2311   __sys_setsockopt+0x1ae/0x250 net/socket.c:2334   __do_sys_setsockopt net/socket.c:2343 [inline]   __se_sys_setsockopt net/socket.c:2340 [inline]   __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340  do_syscall_64+0xfb/0x240  entry_SYSCALL_64_after_hwframe+0x72/0x7a RIP: 0033:0x7fd22067dde9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003C48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fd21f9ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007fd2207abf80 RCX: 00007fd22067dde9 RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007fd2206ca47a R08: 0000000000000001 R09: 0000000000000000 R10: 0000000020000880 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000000b R14: 00007fd2207abf80 R15: 00007ffd2d0170d8  \u003C/TASK>  Allocated by task 7238:   kasan_save_stack mm/kasan/common.c:47 [inline]   kasan_save_track+0x3f/0x80 mm/kasan/common.c:68   poison_kmalloc_redzone mm/kasan/common.c:370 [inline]   __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:387   kasan_kmalloc include/linux/kasan.h:211 [inline]   __do_kmalloc_node mm/slub.c:4069 [inline]   __kmalloc_noprof+0x200/0x410 mm/slub.c:4082   kmalloc_noprof include/linux/slab.h:664 [inline]   __cgroup_bpf_run_filter_setsockopt+0xd47/0x1050 kernel/bpf/cgroup.c:1869   do_sock_setsockopt+0x6b4/0x720 net/socket.c:2293   __sys_setsockopt+0x1ae/0x250 net/socket.c:2334   __do_sys_setsockopt net/socket.c:2343 [inline]   __se_sys_setsockopt net/socket.c:2340 [inline]   __x64_sys_setsockopt+0xb5/0xd0 net/socket.c:2340  do_syscall_64+0xfb/0x240  entry_SYSCALL_64_after_hwframe+0x72/0x7a  The buggy address belongs to the object at ffff88802cd73da0  which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes inside of  allocated 1-byte region [ffff88802cd73da0, ffff88802cd73da1)  The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802cd73020 pfn:0x2cd73 flags: 0xfff80000000000(node=0|zone=1|lastcpupid=0xfff) page_type: 0xffffefff(slab) raw: 00fff80000000000 ffff888015041280 dead000000000100 dead000000000122 raw: ffff88802cd73020 000000008080007f 00000001ffffefff 00 ---truncated---",null,[],[],[],[14],{"_key":15},"CVE-2024-35896",[17],{"_key":18},"DLA-3842-1",[],[],"2024-05-19T09:15:10.557Z","2026-04-28T20:28:00.763782Z",{"cisa_kev":24,"cisa_ransomware":24,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[26],{"url":27,"sources":28,"tags":30},"https://security-tracker.debian.org/tracker/CVE-2024-35896",[29],"osv_debian",[31],"Advisory",[],[],[35],{"source":29,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":36,"cvss_v4_0":9},{"baseScore":37,"baseSeverity":9,"vectorString":38,"impactScore":39,"exploitabilityScore":40},7.1,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",8.7,4.6,[42],{"ecosystem":43,"name":44,"vendor":45,"product":44,"cpe_part":9,"purl_type":46,"purl_namespace":45,"purl_name":44,"source":9,"versions":47},"Debian","linux","debian","deb",[48,54,57,60],{"version":49,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":52,"version_end_type":53,"fixed_in":9},"lt5_10_216_1",true,"ecosystem","5.10.216-1","excluding",{"version":55,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":56,"version_end_type":53,"fixed_in":9},"lt6_1_85_1","6.1.85-1",{"version":58,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":59,"version_end_type":53,"fixed_in":9},"lt6_8_9_1","6.8.9-1",{"version":58,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":59,"version_end_type":53,"fixed_in":9}]